Mon Oct 24 23:27:42 1994 Theodore Y. Ts'o (tytso@rt-11) * fcntl.c (sys_fcntl): Liberalize security checks which Alan Cox put in. Thu Oct 20 23:44:22 1994 Theodore Y. Ts'o (tytso@rt-11) * fcntl.c (sys_fcntl): Add more of a security check to the F_SETOWN fcntl(). [Tons of changes missed, indeed. This list is worth restarting since at least some fixes WILL break third-party filesystems. Sorry, but there was no other way to fix rmdir/rename deadlock, for one.] Wed Dec 2 (Linus, fill the rest, please) * namei.c (do_rmdir) and rmdir method in filesystems: Locking of directory we remove was taken to VFS. See comments in do_rmdir(). Unfixed filesystems will bloody likely deadlock in rmdir(). Thu Dec 3 17:25:31 1998 Al Viro (viro@math.psu.edu) * namei.c (do_rmdir): Reject non-directories here. Two (probably) obsolete checks moved here too: we fail if the directory we remove is the same as parent (BUG: we serve mountpoints later) or if it lives on a different device. * sysv/namei.c (sysv_rmdir): See sysv/CHANGES Fri Dec 4 00:54:12 1998 AV * namei.c (check_sticky): New function check_sticky(dir, inode). If dir is sticky check whether we can unlink/rmdir/rename the inode. Returns 1 if we can't. If dir isn't sticky - return 0 (i.e. no objections). Some filesystems require suser() here; some are fine with CAP_FOWNER. The later seems more reasonable. * namei.c (do_rmdir): Moved the check for sticky bit here. * affs/{inode,namei}.c: All AFFS directories have sticky semantics (i.e. non-owner having write permisssions on directory can unlink/rmdir/rename only the files he owns), but AFFS didn't set S_ISVTX on them. Fixed. NB: maybe this behaviour should be controlled by mount option. Obvious values being 'sticky' (current behaviour), 'nonsticky' (normal behaviour) and maybe some play on 'D' permissions bit. FIXME. * qnx4/namei.c (qnx4_rmdir): Plugged inode leak. * ufs/namei.c (ufs_rmdir): Changed handling of busy directory to new scheme. Fri Dec 4 10:30:58 1998 AV * namei.c (VFS_rmdir): New function. It gets inode of the parent and dentry of the victim, does all checks and applies fs-specific rmdir() method. It should be called with semaphores down on both the victim and its parent and with bumped d_count on victim (see comments in do_rmdir). * include/linux/fs.h: Added VFS_rmdir * kernel/ksyms.c: Added VFS_rmdir to export list (for NFSD). * nfsd/vfs.c: Fixed rmdir handling. Tue Dec 8 05:55:08 1998 AV * vfat/namei.c: Fixed the bug in vfat_rename() introduced in the first round of rmdir fixes. Wed Dec 9 03:06:10 1998 AV * namei.c (do_rename): part of fs-independent checks had been moved here (sticky bit handling, type mismatches). Cases of the source or target being append-only or immutable also went here - if we check it for parent we could as well do it for children. * {affs,ext2,minix,sysv,ufs}/namei.c (do_*_rename): Removed tests that went to VFS, it simplified the code big way. Fixed a race in check for empty target - we should check for extra owners _before_ checking for emptiness, not after it. * {ext2,ufs}/namei.c (do_*_rename): VERY nasty bug shot: if somebody mkdired /tmp/cca01234, went there, rmdired '.', waited till somebody created a file with the same name and said mv . /tmp/goodbye_sticky_bit... Well, goodbye sticky bit. Down, not across! * {minix,sysv}/namei.c (do_*_rename): Incorrect check for other owners (i_count instead of d_count). Fixed. * vfat: Looks like the changes above fixed a bug in VFAT - this beast used to allow renaming file over directory and vice versa. Wed Dec 9 08:00:27 1998 AV * namei.c (VFS_rename): New function. It gets the same arguments as ->rename() method, does all checks and applies fs-specific rmdir() method. It should be called with semaphores down on both parents. * include/linux/fs.h: Added VFS_rename * kernel/ksyms.c: Added VFS_rename to export list (for NFSD). * nfsd/vfs.c: Changed rename handling (switched to VFS_rename). Wed Dec 9 18:16:27 1998 AV * namei.c (do_unlink): handling of sticky bit went here. * {affs,ext2,minix,qnx4,sysv,ufs}/namei.c (*_unlink): removed handling of sticky bit. * qnx4/namei.c (qnx4_unlink): Yet another inode leak. Fixed. Thu Dec 10 04:55:26 1998 AV * {ext2,minix,sysv,ufs}/namei.c (*_mknod): removed meaningless code handling attempts to mknod symlinks and directories. VFS protects us from _that_ and if this code would ever be called we'ld get a filesystem corruption. Thu Dec 10 16:58:50 1998 AV * namei.c (do_rename): Fixed dentry leak that had been introduced by the first round of rmdir fixes. Fri Dec 11 14:57:17 1998 AV * msdos/namei.c (msdos_rmdir): Fixed race in emptiness check. Sat Dec 12 19:59:57 1998 AV * msdos/namei.c (msdos_mkdir): Fixed the evil breakage introduced by the changes of rmdir locking scheme. We shouldn't call msdos_rmdir from there. Sun Dec 13 02:05:16 1998 AV * namei.c (do_unlink): Added new function: vfs_unlink, with the same arguments as ->unlink() method. * kernel/ksyms.c: Made it exported. * include/linux/fs.h: Added prototype. * nfsd/vfs.c: Changed handling of unlink (switched to vfs_unlink) * {ext2,ufs}/namei.c (*_unlink): moved handling of imm./append-only to VFS. Wed Dec 16 06:10:04 1998 AV * namei.c (may_create, may_delete): New inline functions. They check whether creation/deletion is permitted. Checks from other places of namei.c went there. Looks like originally I misread permission-related stuff both here and in nfsd. In particular, checks for immutable are done in permission(). D'oh. * unlink on directory should return -EISDIR, not -EPERM as it used to do. Fixed. * rmdir of immutable/append-only directory shouldn't be allowed. Fixed. Remains unfixed: * rename's handling of races is, erm, not optimal. Looks like I know what to do, but this thing needs some more cleanup - we can take care of almost all races in VFS and be much more graceful wrt locking. Moreover, it would give strong lookup atomicity. But it's a lot of changes to lookup and dcache code, so it will go after the fs drivers' cleanup. * affs allows HARD links to directories. VFS is, to put it politely, not too ready to cope with _that_. And I'm not sure it should be - looks like they are pretty much similar to symlinks. * truncate doesn't give a damn about IO errors and disk overflows (on braindead filesystems). I've submitted a patch to Linus, but looks like it wasn't applied. * msdos: shouldn't we treat SYS as IMMUTABLE? Makes sense, IMHO.